On March 28, 2018, the Governor of Alabama, Kay Ivey, signed SB 318, the Alabama Data Breach Notification Act, which becomes effective June 1, 2018. Alabama is just behind South Dakota, which enacted its data breach notification statute this past March.

While Alabama is the last state to enact such a statute, its legislation contains particularly stringent requirements for covered entities, including specific factors for assessing a covered entity’s security measures and a duty to dispose of and destroy sensitive information that is no longer needed. We summarize the key provisions below.

Who Must Comply?

The Act applies to “covered entities” and “third-party agents.”

A “covered entity” is broadly defined as any “person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.”

A “third-party agent” is anyone that has been “contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.”

What Data is Covered?

The Act defines an “individual” as any Alabama resident whose sensitive personally identifying information was or is reasonably believed to have been accessed because of a breach.

“Sensitive personally identifying information” (SPII) is defined as an individual’s first name/first initial and last name in combination with one or more of the following categories:

  1. Full Social Security or tax identification number;
  2. Full driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify identity;
  3. Financial account number combined with any security code, access code, password, expiration date, or PIN that is necessary to access or credit/debit the account;
  4. Medical history, mental or physical condition, medical treatment or diagnosis;
  5. Health insurance policy number, subscriber identification number, or any health insurance identifier; or
  6. User name or email address combined with a password or security question that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain SPII.

Notably, excluded from this definition is information that is publicly available or that is truncated, encrypted, secured, or modified in a way that removes the SPII elements or otherwise renders the information unusable. However, if a covered entity knows or has reason to know that the encryption key or security credential that could render SPII readable or useable has been breached, the Act’s obligations are triggered.

Reasonable Security Measures Must Be Implemented

The Act also sets forth certain security measures that covered entities and third-party agents must comply with. Each covered entity and third-party agent must implement and maintain “reasonable security measures” to protect SPII against a security breach. Unlike its counterparts in other states, the Alabama Act sets forth specific factors to be considered in assessing the “reasonableness” of any security measures:

  1. Designation of an employee(s) to coordinate the covered entity’s security measures;
  2. Identification of internal and external risks of a security breach;
  3. Adoption of appropriate information safeguards to address identified risks of a security breach and assess the effectiveness of such safeguards;
  4. Retention of service providers that are contractually required to maintain appropriate safeguards for SPII;
  5. Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of SPII; and
  6. Keeping the covered entity’s management and board of directors appropriately informed of security measures.

An assessment of a covered entity’s security will consider the adopted security measures as a whole (including the entity’s size, the amount of SPII and its uses, and the costs of security measures) with emphasis placed on the occurrence of “multiple or systematic” data security failures.

SPII Must Be Destroyed When No Longer Required

A covered entity or third-party agent must also take “reasonable measures” to dispose of records containing SPII when those records are “no longer required to be retained pursuant to applicable law, regulations, or business needs.” Disposal includes shredding, erasing, or any method rendering the SPII unreadable or undecipherable.

What Constitutes a Data Breach?

The Act defines a breach as “the unauthorized acquisition of data in electronic form” that contains SPII. Notably, the Act applies only to unauthorized access to data stored electronically or digitally on any computer system or other database (including recordable tapes and other mass storage devices). Many other states’ data breach statutes apply to hard documents also.

With regard to SPII that has been truncated, encrypted, secured, or otherwise modified, the security of such information will be considered breached if a covered entity knows or has reason to know that the encryption key or security credential that could render SPII readable or useable has been breached.

A breach does not include the good faith acquisition of SPII by a covered entity’s employee or agent (unless the information is used for a non-business or unauthorized purpose), the release of a public record not subject to confidentiality or nondisclosure requirements, or certain investigative, protective, or intelligence activity by state actors.

Acquisition by the same entity over a period of time constitutes one breach for purposes of the Act.

A Covered Entity Must Investigate a Suspected Data Breach

As an initial matter, if a covered entity becomes aware of a security breach in relation to any SPII that is accessed, acquired, maintained, stored, utilized, or communicated by the entity or on its behalf, the entity must conduct “a good faith and prompt investigation.” The investigation must include:

  1. Assessing the nature and scope of the breach;
  2. Identifying any SPII that may have been involved in the breach and the individual to whom it relates;
  3. Determining whether the SPII has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to affected individuals; and
  4. Identifying and implementing measures to restore the security and confidentiality of the compromised systems.

The Act sets forth specific factors that may be considered by a covered entity in determining whether SPII has been or is reasonably believed to have been acquired by an unauthorized person.

Who Must Be Notified?

A covered entity that determines upon investigation that SPII has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to affected individuals must give notice of the breach to each such individual. Notice is not required if a covered entity determines upon investigation that the breach is not reasonably likely to cause substantial harm to affected individuals. A determination that notice is not required must be documented in writing and maintained for at least 5 years.

If the number of affected individuals requiring notice exceeds 1,000, the covered entity must notify the Attorney General of Alabama. If the number exceeds 1,000 at a single time, the covered entity must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

If a third-party agent becomes aware of a security breach in the system that it maintains, the agent must notify the covered entity. Unlike a covered entity, a third-party agent need not determine that the breach is reasonably likely to cause substantial harm before it is obligated to provide this notice.

The Act permits a covered entity to contractually delegate its notification obligations to a third-party agent.

Further, any government entity subject to the Act that acquires and maintains SPII from a government employer and that is required to notify affected individuals must also notify the employing government entity of any affected individuals.

When Must Notice Be Sent?

| Notifying Entity | Recipient of Notice | Requirements under the Act |
| --- | --- | --- |
| Covered Entity | Affected Individuals; Attorney General | Notice must be provided as expeditiously as possible and without unreasonable delay, but in any event within 45 days of the covered entity’s (1) receipt of notice from a third-party agent that a breach has occurred, or (2) determination that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals. |
| Covered Entity | Consumer Reporting Agencies | Notice must be provided without unreasonable delay. |
| Third-Party Agent | Covered Entity | Notice must be provided as expeditiously as possible and without unreasonable delay, but in any event no later than 10 days following the agent’s determination that a breach has occurred or is believed to have occurred. |

In What Form and Manner Must Notice Be Sent?

| Notifying Entity | Recipient of Notice | Requirements under the Act |
| --- | --- | --- |
| Covered Entity | Affected Individuals | Notice must be provided in writing and sent by mail or email to the individual’s address as maintained in the records of the covered entity. Substitute notice to affected individuals is permitted if the number of affected individuals exceeds 100,000, if direct notice is made impossible by excessive cost (as defined in the Act), or if the covered entity lacks sufficient contact information for the affected individual. Substitute notice may be provided by posting a conspicuous notice on the covered entity’s website for 30 days, by circulating notice in print and broadcast media (including major media in the areas in which affected individuals reside), or by any form of notice approved by the Attorney General of Alabama. |
| Covered Entity | Attorney General | Notice must be provided in writing. |
| Covered Entity | Consumer Reporting Agencies | No specific requirements. |
| Third-Party Agent | Covered Entity | No specific requirements. |

What Must the Notice Say?

| Notifying Entity | Recipient of Notice | Requirements under the Act |
| --- | --- | --- |
| Covered Entity | Affected Individuals | Notice must contain: (1) the date or estimated date/date range of the breach; (2) the SPII that was acquired as part of the breach; (3) the actions taken by the covered entity to restore the security and confidentiality of the compromised information; (4) steps an affected individual can take to protect against identity theft; and (5) contact information for the notifying entity. |
| Covered Entity | Attorney General | Notice must contain: (1) a synopsis of the events surrounding the breach at the time notice is provided; (2) the approximate number of affected individuals in the state; (3) any services related to the breach being offered without charge by the covered entity to individuals, and instructions on how to use the services; and (4) the name, address, telephone number, and email address of the employee or agent of the covered entity who can provide additional information about the breach. |
| Covered Entity | Consumer Reporting Agencies | Notice must contain a description of the timing, distribution, and content of the notices provided to affected individuals. |
| Third-Party Agent | Covered Entity | No specific requirements, but the agent must provide the information needed to enable the covered entity to provide notices as required. |

Government entities are exempt from civil penalties. However, government employees remain subject to injunctive actions by the Attorney General of the state.

An entity subject to, or regulated by, federal or state laws, rules, regulations, procedures, or guidance on data breach notification that are established or enforced by the federal or state government, whichever is applicable, is exempt as long as the entity: (1) maintains procedures as required by such laws; (2) provides notice to affected individuals as required by such laws; and (3) provides a copy of such notice to the Attorney General of Alabama when the number of individuals notified exceeds 1,000. In the case of state laws, the notice requirements must be as thorough as those provided by the Act.

Who May Enforce and What Penalties May Be Imposed?

The Attorney General of Alabama has the sole authority to bring an action for civil penalties under the Act. A covered entity may be subject to civil penalties as follows: (1) an amount up to $2,000 per violation but no more than $500,000 per breach if the entity knowingly violates the Act’s notice provisions; and (2) an amount not to exceed $5,000 per day for each consecutive day an entity fails to take reasonable action to comply with the notice provisions. Curiously, the Act does not impose civil penalties for violating the provisions requiring covered entities to maintain and implement reasonable security measures.

No private right of action is created by the Act. The Attorney General of the state also has the sole authority to bring an action in a representative capacity for actual damages incurred by affected individuals. A third-party agent that fails to notify a covered entity of a breach is also subject to fines and penalties.

Businesses that collect or maintain sensitive personally identifying information for Alabama residents in electronic or digital form should review their security measures, incident response procedures, and any agreements with third-party agents with counsel to ensure compliance with the new Act.